RFC 8314, published in January 2018, recommends that mail servers use "implicit TLS"
(TLS negotiated from the first byte on a dedicated TCP port) rather than "explicit
TLS" (TLS triggered by STARTTLS or a similar command on an
otherwise cleartext standard TCP port) on all user-facing services (mail
submission with SMTP and mail retrieval with POP or IMAP).
My own server, mail.incenp.org, was configured to offer only
explicit TLS, both for submission (on TCP port 587) and for mail
retrieval (on the standard IMAP TCP port 143). I describe here how to
transition to the implicit TLS configuration recommended by RFC 8314.
What needs to be changed?
In addition to the obvious changes that need to be made to the
configuration of the SMTP and IMAP servers (Postfix and Dovecot, respectively), there are several
other things to update:
the firewall configuration (open TCP ports 465 and 993);
the mail server certificate (add SRV-IDs for
the DNS zone (add SRV
records for _imaps._tcp.incenp.org and
_submissions._tcp.incenp.org, and TLSA records for
In which order?
I suggest the following order:
1. Generate a new certificate for mail.incenp.org (I use the
same certificate both for the SMTP and the IMAP server) with the new
SRV-IDs, along with the old SRV-IDs for the standard ports.
2. Publish the new TLSA records (before the new ports are reachable, so that
a DANE-validating client never finds the services without them).
3. Configure Postfix to listen on port 465 with implicit TLS, while
still offering explicit TLS on the standard submission port 587.
4. Likewise, configure Dovecot to listen on port 993 with implicit
TLS, while still offering explicit TLS on the standard IMAP port 143.
5. Open TCP ports 465 and 993 in the firewall.
6. Check with the clients that everything is working fine.
7. Publish the new SRV records for the implicit TLS services. Give them a
lower priority value than the existing records for the explicit TLS services,
so that clients that follow SRV records prefer implicit TLS (as
recommended by RFC 8314).
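The seven steps above, as an added example that is not part of the original article: a POSIX shell script for the server side of the transition. It assumes that the new certificate lives at /etc/ssl/certs/mail.incenp.org.pem, that the firewall is nftables with an existing set mail_ports in table inet filter which the input chain already accepts, that Postfix is recent enough for postconf -M and -P and that /etc/services knows the submissions name, and that the Dovecot drop-in file name and the SRV priority values (0 for implicit TLS, 10 for explicit TLS) are illustrative. The DNS functions only print zone lines to paste into the incenp.org zone; they publish nothing.

```shell
#!/bin/sh
# Added example, not the article's own code: server side of the transition to
# the RFC 8314 "transitional state" (implicit TLS on 465/993 added, STARTTLS
# on 587/143 kept). Paths, the nftables set name, the Dovecot drop-in file and
# the SRV priority values are assumptions to adapt.
set -eu

HOST=mail.incenp.org
ZONE=incenp.org
CERT=/etc/ssl/certs/mail.incenp.org.pem    # assumed location of the new certificate

# Steps 1-2: TLSA "3 1 1" = DANE-EE, SubjectPublicKeyInfo, SHA-256 (RFC 6698).
# Hashing the public key rather than the certificate keeps the record valid
# across a renewal that reuses the key pair.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -hex | sed 's/^.*= *//'
}

# Zone lines for the new TLSA records, one per implicit TLS port (RFC 6698
# naming: _port._tcp.host).
tlsa_records() {
    hash=$(tlsa_311 "$1")
    for port in 465 993; do
        printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$port" "$HOST" "$hash"
    done
}

# Step 3: a second smtpd on 465 in TLS wrapper mode. "submissions" is the IANA
# name of port 465; on a system whose /etc/services predates it, use "465" in
# place of the name. The -P lines become "-o" options of that master.cf entry.
postfix_add_submissions() {
    postconf -M 'submissions/inet=submissions inet n - n - - smtpd'
    postconf -P 'submissions/inet/syslog_name=postfix/submissions' \
               'submissions/inet/smtpd_tls_wrappermode=yes' \
               'submissions/inet/smtpd_sasl_auth_enable=yes' \
               'submissions/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject'
    postfix reload
}

# Step 4: Dovecot keeps the STARTTLS listener on 143 and adds the imaps
# listener on 993; "ssl = yes" on a listener means TLS from the first byte
# (the ssl_cert/ssl_key settings of 10-ssl.conf already serve STARTTLS).
dovecot_add_imaps() {
    cat > /etc/dovecot/conf.d/15-implicit-tls.conf <<'EOF'
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
EOF
    doveconf -n > /dev/null     # parse the whole configuration before reloading
    doveadm reload
}

# Step 5: assumes an nftables set "mail_ports" in table "inet filter" that the
# input chain already accepts.
firewall_open() { nft add element inet filter mail_ports '{ 465, 993 }'; }

# Step 6: handshake with each endpoint; -verify_return_error turns a bad chain
# or a name mismatch into a non-zero exit, which a plain s_client would not.
check_endpoint() {     # check_endpoint PORT [-starttls PROTO]
    port=$1; shift
    if openssl s_client -connect "$HOST:$port" -servername "$HOST" \
            -verify_return_error "$@" </dev/null >/dev/null 2>&1
    then echo "OK   $HOST:$port"
    else echo "FAIL $HOST:$port"
    fi
}
check_tls() {
    check_endpoint 465
    check_endpoint 993
    check_endpoint 587 -starttls smtp
    check_endpoint 143 -starttls imap
}

# Step 7, only once check_tls passes: the implicit TLS records get the lower
# priority value, which is what SRV-aware clients prefer.
srv_records() {
    cat <<EOF
_imaps._tcp.$ZONE.       IN SRV 0  1 993 $HOST.
_submissions._tcp.$ZONE. IN SRV 0  1 465 $HOST.
_imap._tcp.$ZONE.        IN SRV 10 1 143 $HOST.
_submission._tcp.$ZONE.  IN SRV 10 1 587 $HOST.
EOF
}

case "${1:-}" in
    tlsa)  tlsa_records "$CERT" ;;
    apply) postfix_add_submissions; dovecot_add_imaps; firewall_open ;;
    check) check_tls ;;
    srv)   srv_records ;;
    "")    ;;          # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 tlsa|apply|check|srv" >&2; exit 2 ;;
esac
```

Run it as `transition.sh tlsa` after the new certificate is in place, `apply` for steps 3 to 5, `check` for step 6, and `srv` for step 7; without an argument it only defines the functions. The TLSA records use the public key ("3 1 1") rather than the full certificate ("3 0 1") precisely so that the optional certificate regeneration at the end of the procedure does not invalidate them, as long as the key pair is kept.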
The server is now in a “transitional state”, in which it offers both
implicit TLS on ports 465 and 993 and explicit TLS on ports 587 and
143. To reach the final state recommended by RFC 8314, in which only implicit
TLS is offered:
1. Remove the old SRV records for _imap._tcp.incenp.org
Then wait at least the TTL of those records before going on, so that clients
that follow SRV records are no longer directed to ports 143 and 587.
2. Close TCP ports 143 and 587 in the firewall.
3. Configure Postfix to stop listening on port 587 and Dovecot to
stop listening on port 143.
4. Remove the old TLSA records for ports 587 and 143.
5. Optionally, generate a new certificate for
mail.incenp.org without the old SRV-IDs. This can easily
wait until the certificate has to be renewed.
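The tear-down above, as an added example that is not part of the original article: the server side of the move to the final state, in POSIX shell. It assumes the same illustrative nftables set mail_ports in table inet filter and a Dovecot drop-in file /etc/dovecot/conf.d/15-implicit-tls.conf that holds the imap-login listeners; the two DNS steps are left to the zone editor. The verify function checks that nothing listens on 143 or 587 any more and that 465 and 993 still present a certificate that verifies for mail.incenp.org.

```shell
#!/bin/sh
# Added example, not the article's own code: server side of the move from the
# transitional state to the final one (implicit TLS only). The nftables set
# name and the Dovecot drop-in file are assumptions; the two DNS steps are
# left to the zone editor.
set -eu

HOST=mail.incenp.org

# Step 2: close 143 and 587, assuming the set "mail_ports" in "inet filter".
firewall_close() { nft delete element inet filter mail_ports '{ 143, 587 }'; }

# Step 3a: drop the whole master.cf entry for port 587, its -o options included.
postfix_drop_submission() {
    postconf -MX submission/inet
    postfix reload
}

# Step 3b: "port = 0" disables a Dovecot listener; 993 stays as it was.
dovecot_drop_imap() {
    cat > /etc/dovecot/conf.d/15-implicit-tls.conf <<'EOF'
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
EOF
    doveconf -n > /dev/null
    doveadm reload
}

# Parse `ss -ltn` output on stdin and print every listening TCP port, one per
# line; taking the last colon-separated field copes with 0.0.0.0:143,
# [::]:993 and *:143 alike.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# usage: ss -ltn | still_listening 143 587   -> exit 0 if any of them is open
still_listening() {
    open=" $(listening_ports | tr '\n' ' ') "
    for p in "$@"; do
        case "$open" in *" $p "*) return 0 ;; esac
    done
    return 1
}

# Final check: the old ports are gone and the new ones still present a
# certificate that verifies for the server name.
verify_final_state() {
    if ss -ltn | still_listening 143 587; then
        echo "FAIL: port 143 or 587 is still listening" >&2
        return 1
    fi
    for port in 465 993; do
        openssl s_client -connect "$HOST:$port" -servername "$HOST" \
            -verify_return_error </dev/null >/dev/null 2>&1 \
            || { echo "FAIL: $HOST:$port" >&2; return 1; }
    done
    echo "final state: implicit TLS only, on 465 and 993"
}

case "${1:-}" in
    apply)  firewall_close; postfix_drop_submission; dovecot_drop_imap ;;
    verify) verify_final_state ;;
    "")     ;;          # no argument: only define the functions
    *)      echo "usage: $0 apply|verify" >&2; exit 2 ;;
esac
```

Run `verify` after `apply` and again after the old TLSA records are gone; the listener check runs locally, so it tells you whether a still-open port is Postfix or Dovecot rather than the firewall, before any client notices.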